O365 URL rewrite

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

O365 URL rewrite

L2 Linker

I'm using minemeld to pull the O365 urls into my PAN. I get a list that has entries like
*.domain.com
sub.domain1.com

 

I need to import those entries and rewrite them so they look like
*.domain.com/
domain.com/
*.sub.domain1.com/
sub.domain1.com/

 

Any pointers would be appreciated.

25 REPLIES 25

Hi @ckemp,

you need 0.9.52.post1, not available yet on the binary update channel. I will publish it tomorrow.

 

Luigi

@ckemp @Sec101, I have just published the binary package of 0.9.52.post1 to the update channel. This contains the improvement to the output feed to cope with PAN-OS limitation.

Updated Minemeld.

image.png

Restart Minemeld engine and force import on PA. Not showing up in EDL.

image.png

 

Could you check directly the MineMeld feed with the browser?

 

luigi

Pulled the file into Notepad++

image.png

Hi @ckemp,

are you adding ?v=panosurl at the end of your feed URL?

The link in the EDL config should have the form:

https://<minemeld>/feeds/<feedname>?v=panosurl

Adding "?v=panosurl" was the final piece. I am now seeing the correctly parsed url list. Thank you for your help.

image.png

@lmori

Can you clarify the ?v=panosurl designation

 

We are using hosted version of minemeld, and does that affect this designation, or is this for internal hosted servers only? 

It's an internal server.

Hi @Sec101,

this applies to both hosted and community version of MineMeld. Basically translates on the fly a list of URLs in a format that can be parsed by PAN-OS. More details about the different parameters here: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170

Ah, thank you.  I see. I can see the value in the URL listing, as some of those tokens don't appear to match the correct format otherwise.  It looks like our firewalls are using the   x.x.x.x-x.x.x.x   ranges correctly, but is it preffered to utilize the ?tr=1 

CIDR option instead of the range?  

 

 

  • 11824 Views
  • 25 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!